MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882
SHA3-384 hash: 4c142ab8299740789b300f0bc88453bb692199f63fbe54f80be4df2913b0ec3e35090fca6b32b0a30bb53b3dc3771fa9
SHA1 hash: 1d484e028884e3b39880630844ab9f3fd35d947e
MD5 hash: 5df099ae1355e96aab45a59b3d624f3c
humanhash: ceiling-fifteen-hot-connecticut
File name:SecuriteInfo.com.Win64.Malware-gen.24589.26163
Download: download sample
File size:2'010'624 bytes
First seen:2025-06-11 05:26:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef8d4a7329b7ef282b569d08eff25452 (7 x LummaStealer, 1 x Smoke Loader, 1 x CoinMiner)
ssdeep 49152:C7pFINLkzbk2XFq6OE4jc4K41ypsrdLhXCMjNtfIHP9o8x0aREA0snJC:C7TINLkJXFqg4jc4K41qstI1o8qaKs
TLSH T1E3957B3D4185E28AFC35407A80B152D87536B332C12E2BFB9579E3639F0B2819F55BAD
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2025-06-10_06836a7c777932561051ef8bc062e706_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer
Verdict:
Malicious activity
Analysis date:
2025-06-10 20:30:48 UTC
Tags:
auto-sch loader amadey botnet stealer rdp purehvnc netreactor auto-reg unlocker-eject tool gcleaner lumma autoit evasion telegram auto generic themida pastebin attachments attc-unc
Link:
https://app.any.run/tasks/02da2821-6412-4801-9dc9-7c6822f65a81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8882/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.24589.26163.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684913b307b5e8c1cfe6377a
Tags:
virus krypt zpack
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/684913a5fd02ed5e05a35b67/reports/73069af4-2624-41ed-be51-a5b5c9cae9d9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e92985a6-f830-4520-b951-7aacb8d7986b
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1711886
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1711886 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 11/06/2025 Architecture: WINDOWS Score: 92 39 Multi AV Scanner detection for submitted file 2->39 41 Joe Sandbox ML detected suspicious sample 2->41 43 Sigma detected: Rare Remote Thread Creation By Uncommon Source Image 2->43 8 SecuriteInfo.com.Win64.Malware-gen.24589.26163.exe 1 2->8         started        process3 signatures4 45 Writes to foreign memory regions 8->45 47 Allocates memory in foreign processes 8->47 49 Injects a PE file into a foreign processes 8->49 11 MSBuild.exe 3 8->11         started        15 conhost.exe 8->15         started        process5 dnsIp6 37 144.172.87.101, 49720, 49751, 49752 PONYNETUS United States 11->37 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 55 Writes to foreign memory regions 11->55 57 6 other signatures 11->57 17 chrome.exe 1 11->17         started        20 chrome.exe 11->20 injected 22 chrome.exe 11->22 injected 24 5 other processes 11->24 signatures7 process8 dnsIp9 29 192.168.2.4, 443, 49708, 49711 unknown unknown 17->29 26 chrome.exe 17->26         started        process10 dnsIp11 31 plus.l.google.com 142.250.80.78, 443, 49741 GOOGLEUS United States 26->31 33 www.google.com 142.251.40.164, 443, 49727, 49728 GOOGLEUS United States 26->33 35 5 other IPs or domains 26->35
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-06-11 00:52:50 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhlceetejz2vij3nxqb64wtont4lkrtwwbz2aqg2nhco3wxgbcba._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/250611-f5ca1scm6t/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4d37f235-f44a-478b-9834-8353b92f3760
Unpacked files
SH256 hash:
c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882
MD5 hash:
5df099ae1355e96aab45a59b3d624f3c
SHA1 hash:
1d484e028884e3b39880630844ab9f3fd35d947e
Link:
https://www.unpac.me/results/06c3710c-f136-4a13-aa37-4fe9b5e5f039/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c9d62212644e7554276dbc03ee5a6e6cf8b54676b073a040da69c4eddae60882

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3560523/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/8882/

Comments